Hello! I'm fairly new to the stack but I have an ELK system setup and consuming logs from a production webserver. I'd like to setup some Watches. When I go to setup a Watch it asks for a name and index, so I provide a name and index (logstash-*). But how do I define my query? For example I'd like to narrow things down by app_id, type and then a condition (response code from server).
All I'm provided with is this:
So where do I set my query?
Hey,
you have selected to configure a threshold alert, which basically is a threshold above a certain aggregated value.
If you want to use a query, you need to write a watch yourself using the Advanced watch method. This means you are writing the watch yourself. The first thing you should take a look is probably getting started with watcher and then the search input
hope this helps!
--Alex
Ahh! So there is no UI component to select pieces and put together a watch. Was hopeful given that some of the SaaS solutions based on ELK have that. All good, will read!
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.
